Aug 08 2008

New U.S. “exit permit” scheme for visitors goes into effect

The Identity Project filed comments today with the DHS Bureau of Customs and Border Protection (CBP) in opposition to the new Electronic System for Travel Authorization (ESTA) which went into effect this week. According to our comments:

The essence of the ESTA rule is to require certain foreign citizens to obtain an exit permit from the United States government before they may leave their own country, or leave other countries.

In this rulemaking, the Bureau of Customs and Border Protection (CBP) of the Department of Homeland Security (DHS) is promulgating an interim final rule imposing a new requirement that “each nonimmigrant alien intending to travel by air or sea to the United States under the Visa Waiver Program (VWP) must … prior to embarking on a carrier for travel to the United States”, (a) provide specified data elements, in specified form and manner, to the CBP, and (b) “receive a travel authorization, which is a positive determination of eligibility to travel to the United States under the VWP, via the Electronic System for Travel Authorization (ESTA), from CBP.”

Under the interim final rule, “[a]n authorization under ESTA is not a determination that the alien is admissible to the United States” and is “not a determination of visa eligibility.” It would be granted, or not granted, by the CBP, in its sole, standardless, secret, and non-reviewable “discretion.” It would be required as a pre-condition for foreign citizens to “embark” from foreign countries if the CBP believes that they intend to apply (at some later time) for admission to the U.S. under the VWP.

The Identity Project submits these comments because this CBP regulatory requirement that foreign citizens obtain permission from the U.S. in order to leave their own country, or a third country, (1) exceeds the statutory authority of the CBP; (2) exceeds the jurisdiction of the CBP; (3) is contrary to the obligations of the U.S. under the International Covenant on Civil and Political Rights and other international human rights, maritime, and aviation treaties; (4) has been promulgated without complying with the procedural requirements of Executive Order 13107 regarding Implementation of Human Rights Treaties, the Airline Deregulation Act, the Regulatory Flexibility Act, and the Administrative Procedure Act; (5) fails to consider or grossly underestimates many of the major costs of the rule, including its impact on small entities, business travelers, and other travelers; (6) is impermissibly vague, and (7) would be so impractical and unenforceable as to deprive it of any of the benefits claimed by the CBP.

The Identity Project urges the CBP to withdraw the interim final rule, in its entirety. If it does not withdraw the ESTA rule entirely, the CBP must complete the actions directed by Executive Order 13107, prepare the statutorily required analyses, publish them in a full Notice of Proposed Rulemaking (NPRM), and provide a new opportunity for public comment, before finalizing any ESTA rule.

In their comments, airlines and travel agencies have objected that the CBP is “wrong” to implement the ESTA on an emergency basis, without the public notice and opportunity for public comment normally required for new Federal regulations.  But the CBP began accepting “voluntary” applications for travel authorizations, through a (still buggy) Web interface.  The CBP says they plan to issue an order later this year to make the ESTA system mandatory starting sometime in January 2009.

Countries that participate in the VWP, mainly in Western Europe, are still considering whether it amounts to a de facto visa requirement for their citizens to visit the U.S. This could prompt them to reciprocate by ending visa-free entry to their countries for U.S. visitors, and requiring U.S. visitors to apply for permission before embarking for Europe.

Aug 05 2008

“Trusted Traveler” Identification Program Loses Unencrypted Laptop and TSA’s Trust

A provider of the Transportation Security Administration’s Registered Traveler (RT) program has been suspended from enrolling new applicants after TSA learned “an unencrypted [Verified Identity Pass] laptop computer was discovered to be missing from San Francisco International Airport (SFO) on July 26. The computer contained pre-enrollment records of approximately 33,000 customers.”

Verified Identity Pass operated Registered Traveler under the name “Clear.” The program is supposed to improve air travel security by creating “trusted” individuals who could go through security more quickly because their identities would have been confirmed as “clean” through the program. However, experts have explained that this just creates incentive for criminals to figure out a way to get into the “trusted” group – whether by creating fake identities that can withstand the program’s check or by using individuals who have no previously found connection to terrorists or other criminals.

According to a Washington Post report, “The laptop had the names, addresses and driver’s license or passport numbers of mostly online applicants to the Registered Travel program.” However, Clear records can contain more than that, such as: credit card data, biometric data (fingerprints and iris scans), and previous home addresses for the past five years.

Jul 28 2008

DHS Ignores OMB Government Approval Process on TSA’s Questionnaire Form for Travelers Without ID

Since June 21st, TSA has required all air travelers in the United States to present identification when entering a secure area at airports. Prior to then, a person could simply say they had lost their ID or didn’t want to show it, and they would be subjected to a secondary screening to enter the area. Now you can only get through security if you can convince TSA and their behavioral detection specialists that you lost or forgot your ID and are “cooperative” with their efforts to identify you by means of commercial data. Part of that process involves filling out their Certification of Identity form.

It appears that DHS has ignored the process of procuring an OMB (Office of Management and Budget) number for their new form. The OMB process requires publication of a notice in the Federal Register and the opportunity for public comment whenever the government gathers information from the public. The law clearly states that someone can’t be punished for failing to answer questions on a government form unless the questioning agency has an OMB number associated with it. Despite this, TSA’s new Certification of Identity form states that failing to answer the questions may result in your inability to fly. Further, false statements made by travelers when using the form may be punishable by up to five years in prison. DHS is again showing that it doesn’t believe the rule of law applies to them.

Jul 08 2008

TSA “identity verification” procedures

In a series of posts in their blog, the TSA has expanded on its claimed authority for the changes to “ID verification procedures” announced in a press release last month.

Lawmaking by press release exemplifies the evils of “secret law” which the Supreme Court declined to consider in Gilmore v. Gonzalez. The TSA now says that, “Our position is that Gilmore v. Gonzalez affirmed our ability to require ID for transportation via air and the law that formed TSA, the Aviation and Transportation Security Act (ATSA) empowers the TSA to make these decisions.”

In fact:

  1. The 9th Circuit Court of Appeals in Gilmore v. Gonzalez reached its decision without addressing whether it would have been permissible for the airline or the TSA (or anyone else) to require Mr. Gilmore to show evidence of his identity, or to prevent him from travelling if he failed to do so. The court found that, as of that time and in that particular case, Mr. Gilmore could have flown without showing ID.

Jul 08 2008

Electronic System for Travel Authorization (ESTA)

In a Notice of Proposed Rulemaking (NPRM) in the Federal Register on June 9, 2008 (73 Federal Register 32440-32453), the Department of Homeland Security has proposed a new system for foreign citizens intending to visit the U.S. without visas, and to enter the U.S. by air or sea, to apply for and receive an additional form of advance permission to travel to the U.S.

Effective August 8, 2008, a person “intending to travel to the United States by air or sea under the VWP [Visa Waiver Program]” will be permitted to apply in advance for an electronic “travel authorization” (ETA) from the DHS Bureau of Customs and Border Protection (CBP). The ETA application will contain “such information as the Secretary [of Homeland Security] deems necessary to issue a travel authorization, as reflected by the I–94W Nonimmigrant Alien Arrival/Departure Form (I–94W).”

Effective as of a date the CBP intends to specify in another Federal Register notice in early November 2008, at least 60 days after the publication of that follow-up notice but no later than January 12, 2009, each person with such intent will be required to (1) provide certain specified personal information, in specified form, to the CBP in an ETA application and (2) “receive a travel authorization [from the CBP] prior to embarking on a carrier for travel to the United States.”

While the proposed regulations would require travellers to apply for and obtain ETAs, nothing in the NPRM would require the CBP to respond to or act on such applications at all, much less to do so with any specified timeliness. No standards or criteria for approval, denial, or inaction on an ETA application are specified; no particular decision-making entity within CBP is specified; no administrative appeal is provided for; and no court would have jurisdiction to review an ETA decision (although courts could, of course, review the legality of the program as a whole).

Jul 07 2008

ACLU Marks Addition of One Millionth Name to Terrorist Watchlists

The massive U.S. terror watchlists will soon add their one millionth name and the ACLU will mark the day with an event on July 14th at the National Press Club involving innocent individuals who have been wrongly matched to the terrorist watchlists. The ACLU gets the one millionth number from a Department of Justice Inspector General report that said the watchlists included 700,000 names in April 2007 and the lists were growing by 20,000 names per month.

The Transportation Security Administration recently stated on its blog, “While the exact number of ‘no-flys’ is secret, there are many, many less than 500,000.” The agency did not point to any documentation, merely asking the public to believe its numbers. The agency also did not estimate the number of individuals on the “selectee” list.

The Terrorist Screening Center maintains two terrorist watchlists, the “no fly” and “selectee” lists. Individuals on the “no fly” lists are deemed too dangerous to fly by the U.S. government. Individuals on the “selectee” lists must endure more invasive security screening before they are allowed to fly by the U.S. government. How individual names are added to the list is unknown. The government claims there is a redress process for individuals who are “mistakenly matched” to the watchlists, but it is cumbersome and opaque.

A number of innocent individuals including a nun, Senator Ted Kennedy, and former presidential candidate John Anderson have all been wrongly deemed suspects. Have you been caught in the watchlist web? Tell us your story. E-mail jph AT papersplease DOT org

Jun 28 2008

NY Times: US and Europe Near Agreement on Data Sharing

The New York Times has obtained a report showing that US and European negotiators are nearing an agreement on international sharing of private data.

The United States and the European Union are nearing completion of an agreement allowing law enforcement and security agencies to obtain private information — like credit card transactions, travel histories and Internet browsing habits — about people on the other side of the Atlantic Ocean. […]

Negotiators, who have been meeting since February 2007, have largely agreed on draft language for 12 major issues central to a “binding international agreement,” the report said. The pact would make clear that it is lawful for European governments and companies to transfer personal information to the United States, and vice versa.

The negotiators remain at odds on some issues, such as “what rights European citizens will have if the United States government violates data privacy rules or takes an adverse action against them — like denying them entry into the country or placing them on a no-fly list — based on incorrect personal information.”

It is unclear what standards both sides believe would adequately protect individuals’ civil liberties, including free speech and the right to travel.

David Sobel, a senior counsel with the Electronic Frontier Foundation, a nonprofit organization dedicated to data-privacy rights, said the administration’s depiction of the process of correcting mishandled data through agency procedures sounds “very rosy,” but the reality is that it is often impossible, even for American citizens, to win such a fight.

The story refers to transfers of data directly from entities in the EU to the US government, and that’s where most of the attention has focused in recent EU/US disputes. But in many cases, data is first transferred from the EU to commercial entities in the US (for example, from airline and travel agency offices in the EU to computerized reservation systems in the US) and only later, if at all, accessed by the US government from those US commercial entities. Those commercial transfers violate EU data protection law, regardless of whether the US government also accesses the data. It’s unclear from the Times story if the draft agreement would purport to immunize commercial entities engaging in such transfers.

It’s also unclear if the draft “agreement” would take the form of a treaty — ratified by the U.S. Senate, and enforceable in U.S. courts — or whether it would be another nonbinding DHS “undertaking” without legal effect.

The full New York Times story is here.

Jun 26 2008

D.C. ID Roadblock Case Filed

The Partnership for Civil Justice, a Washington DC-based public interest law firm, filed a class action lawsuit in the United States District Court for the District of Columbia seeking an injunction against the Metropolitan Police Department’s Neighborhood Safety Zone checkpoint program.

The lawsuit asserts that the roadblock program instituted in recent weeks is an unconstitutional suspicionless seizure of persons traveling on public roadways in the District of Columbia. The lawsuit also challenges the District’s use of these mass civil rights violations to collect and aggregate data on the movements, activities and associations of law abiding residents and visitors to the District and seeks expungement of this information.

If anyone has doubts about the danger of mission creep associated with a state’s compliance with the Real ID Act, they should be told about what’s going on here.  While this fiasco was initiated by local authorities, remember that §201(3) of the Real ID Act grants a sole individual (the Secretary of DHS) the authority to establish by fiat when and where “official” ID is required in the United States.

Copies of the Class Action Complaint, Mills v. District of Columbia, can be accessed here.

Jun 26 2008

Senate Judiciary Subcommittee on Constitution Holds Hearing on Border Searches

The Senate Judiciary Subcommittee on Constitution held a hearing on “Laptop Searches and Other Violations of Privacy Faced by Americans Returning from Overseas Travel.” Individuals innocent of any wrongdoing have increasingly been reporting that their laptops, smartphones and other electronic devices have been searched and seized by US Customs and Border Protection. The Washington Post reported in February:

The seizure of electronics at U.S. borders has prompted protests from travelers who say they now weigh the risk of traveling with sensitive or personal information on their laptops, cameras or cellphones. In some cases, companies have altered their policies to require employees to safeguard corporate secrets by clearing laptop hard drives before international travel.

At the Senate hearing, Subcommittee Chairman Sen. Russ Feingold summed up the situation succinctly: “Customs agents must have the ability to conduct even highly intrusive searches when there is reason to suspect criminal or terrorist activity, but suspicion-less searches of Americans’ laptops and similar devices go too far. Congress should not allow this gross violation of privacy.”

Various witnesses, including Susan Gurley, Executive Director of the Association of Corporate Travel Executives; Lee Tien, Senior Staff Attorney at the Electronic Frontier Foundation; and Peter P. Swire, Senior Fellow at the Center for American Progress, detailed the many privacy and civil liberty issues raised by suspicionless searches and seizures of electronic devices and data at the border.

Tien said that EFF agreed “the Fourth Amendment works differently at the border. But, ‘differently’ does not mean ‘not at all.’” EFF and the Asian Law Caucus have filed suit against the Department of Homeland Security (which oversees Customs and Border Protection) for denying access to public records on the questioning and searches of travelers and seizures of their property at U.S. borders.

Jun 24 2008

First Reports Of What It’s Like Flying Without ID Arrive

Travelers who willingly refuse to show ID to the Transportation Security Administration are now barred from flying. The new rule went into effect over the weekend. Now, in order to board the plane after forgetting one’s driver’s license, it seems you have to answer questions about your political party affiliation and previous addresses. TSA’s press release said that “cooperative passengers” without ID may be subjected to additional screening protocols, including enhanced physical screening, enhanced carry-on and/or checked baggage screening, interviews with behavior detection or law enforcement officers and other measures. It turns out that “and other measures” include questions about political party affiliation and other questionable invasions of privacy, according to an article that appeared on Consumerist.

Finally satisfied that I didn’t have ID, Laurie took my boarding pass and went away. She came back a few minutes later having photocopied it, and also had an affidavit that she requested I sign. It asked for my name and address, and stated in small print at the bottom that I did not have to fill it out, but if I didn’t I couldn’t fly. It also said that if I chose to fill it out and then provided false info, I would be in violation of federal law.

After filling out the affidavit, Laurie called a service to verify my address. The service needed me to then correctly answer three questions about myself, which Laurie relayed to me. The first was my date of birth, the second was a previous address (which I only got right on my second try), and the third was “You are registered to vote. Which political party have you registered with?” I got all three right, and only then did Laurie clear me to go through security.

As there is no published law governing what conditions the TSA has now placed upon individuals who have the temerity to travel without ID, only by reports such as these will we be able to ascertain what’s playing on the screen today at our nation’s security theater. The cost of admission is but your civil liberty and common sense. Contact us with your story.